Editors

Get Updates via E-mail

Disclaimer

The content of this blog is intended for informational purposes only. It is not intended to solicit business or to provide legal advice. Laws differ by jurisdiction, and the information on this blog may not apply to every reader. You should not take, or refrain from taking, any legal action based upon the information contained on this blog without first seeking professional counsel. Your use of the blog does not create an attorney-client relationship between you and Arnold & Porter LLP. Click here to view additional disclaimer language.

February 24, 2016

FTC Settles Charges with Data Brokers for Misuse of Consumer Data

On February 18, the FTC settled a complaint against multiple data broker defendants for their alleged unlawful sale of consumer payday loan applications containing account numbers, Social Security numbers, and other sensitive personal data. The stipulated orders against defendants Leads Company, LLC, LeapLab, LLC, and John Ayers include a cumulative monetary judgement of $5.7 million. And a $4.1 million judgment was entered against the remaining defendant, SiteSearch Corp. The orders prohibit the defendants from transferring consumer information to third parties and from misleading consumers about the likelihood of obtaining credit, and require the defendants to destroy all consumer data in their possession.

The defendants operated as data brokers for online lenders, collecting personal financial information that consumers had submitted to payday loan websites for loan application purposes. It is typical for data brokers to gather and transfer such loan application data to online lenders; however, according to the FTC, these defendants transferred only 5 percent of the applications obtained to online lenders, while selling the remaining 95 percent at below market rates to non-lenders, including telemarketers, other data brokers who aggregated and resold the consumer data, and online merchants that fraudulently used the data to charge consumers for financial products that were never purchased.

The FTC alleged that the defendants sold millions of loan applications containing sensitive personal information to such non-lenders. Further, it alleged that the defendants continued to sell such data to one purchaser, Ideal Financial, despite their knowledge that Ideal Financial was using the data to make millions of unauthorized debit charges to consumers’ bank accounts. The FTC charged that these actions, individually and collectively, were unfair practices in violation of the FTC Act.

The FTC’s settlement takes place amid its pronounced effort to enhance the protection of consumer privacy, in part by policing the collection and use of sensitive personal information. With respect to data brokers specifically, the settlement is the latest example of regulatory scrutiny of such brokers and the lead generation industry. In May 2014, the FTC published a study, Data Brokers: A Call for Transparency and Accountability, which found that data brokers are engaged in the collection, storage, and transmission of billions of consumer data elements, much of which is obtained and transmitted without consumer knowledge or consent. The study called on Congress to enhance transparency of data broker activities through greater consumer disclosure. Subsequently, in October 2015, the FTC held a workshop on the lead generation industry entitled Follow the Lead, which was aimed at shedding light on the mechanics of the industry and potential consumer protection concerns. Separately, just two months later, the CFPB took action against a lead generator for selling sensitive consumer data to purchasers that were not properly vetted and who subsequently used the data to defraud customers.

These regulatory actions underscore the need for entities that collect consumer information to ensure they adequately inform consumers of their data collection and use practices, and that those practices include storing personal consumer information securely and using it in a transparent manner and for legitimate purposes. Furthermore, if companies are providing sensitive personal data, such as Social Security numbers, account numbers, or health information, to third parties, they should bear in mind that the FTC and other regulatory agencies will closely examine who is receiving the data and what they are doing with it.